RealTime IT News

Report: Credit Cards Plentiful in Crime Networks

A report from Verizon Business says that businesses are making it easier than it should be to steal critical data. As criminals innovate, businesses are ever more vulnerable, and many fail to comply with even basic security standards such as PCI DSS, the credit card industry's data security standard.

Past security failures have flooded the underground market with credit cards, according to the 2009 Data Breach Investigations Report from Verizon Business' Response Intelligence Solutions Knowledge (RISK) team, which summarizes the lessons learned from investigations into 90 security breaches during 2008.

Credit cards are not valuable any more, so criminals now want PIN numbers. Earlier this week, Symantec reported that credit card data can sell for as little as six cents in online criminal markets, which consist of "various forums, such as websites and Internet Relay Chat (IRC) channels, which allow criminals to buy, sell, and trade illicit goods and services." Verizon reports the value of credit card data at fifty cents, down from a minimum of $10 in mid-2007.

In contrast, Symantec said, bank credentials can sell for $10 or more. Verizon did not disclose a price for PIN data, but said, "the big money is now in stealing personal identification number (PIN) information together with associated credit and debit accounts."

Since PIN data is worth more, criminals are investing in malware tools specifically designed to obtain it. The tools are working, said Verizon, leading to "the successful execution of complex attack strategies previously thought to be only theoretically possible."

Victims lose money since PIN fraud typically leads to cash being withdrawn directly from the consumer's account. Victims will also find it harder to prove that an ATM withdrawal was fraudulent than, for example, a credit card transaction. "This makes the recovery of lost assets more difficult than with standard credit-fraud charges," the report said.

The blame

What can victims do to prevent the problem before it occurs? The report has suggestions for businesses but none for end users. Others, however, are responding to the report.

Martin McKeay of PCI consultancy TrustWave wrote in his Network Security Blog that those that complain about the cost of security, have "mortgaged the security of their company in favor short term savings. They've assessed the risk and come to the conclusion that it'll be easier to ignore the problem and hope they don't get compromised."

Is it fair to blame the merchants? The report says that 81 percent of the companies covered in the report were not PCI-compliant, meaning that they failed to meet standards set by the credit card industry. On the other hand, 19 percent were compliant and still suffered breaches, the report notes.

Compliance limits but does not eliminate risk, said Verizon security team member Alex Hutton in a blog post called There's nothing wrong with the PCI DSS, noting, "We can be more or less secure, but some risk will always exist."

While the Verizon team urges readers not to rush to judgment, McKeay is ready to do so. He wrote that the merchants covered in the study who were not PCI compliant "played roulette and lost."

Others agreed. "You have to ask yourself which you prefer: take PCI and security seriously, or drive into work one morning and see your president in front of a bunch of film crews explaining how you managed to lose all that payment card information on all those people," wrote Walt Conway of the blog of the Treasury Institute for Higher Education, an organization dedicated to improving the management of money by schools and universities.

Because the report covers actual security events, one commentator found it particularly insightful. "This is not your mother's CSI/FBI survey; this is actually objective data on security (= rare and valuable)!" wrote Anton Chuvakin, director of PCI compliance solutions at security provider Qualys.